Enterprise Mobility and Security Blog

Howdy folks,

Back in April, we blogged about the vNext release of Microsoft Identity Manager (a.k.a. “MIM”, the product formerly known as Forefront Identity Manager).

Today I have the privilege to let you know that we have released the first public preview of MIM. I’ve asked Sharon Laivand from our MIM PM team in Herzliya, Israel, to write up the details of the new capabilities that are in preview. I am REALLY excited about many of the new capabilities in MIM, particularly the work to add Privileged Account Management support. This has been a BIG request from customers and I’m thrilled that we are going to be able to support these scenarios.

With that, I’ll turn it over to Sharon.

Best Regards,

Alex Simons (Twitter: @Alex_A_Simons)

Director of Program Management

Identity and Security Services Division

——————————–

Greetings everyone!

I’m really happy to have the opportunity to tell you about all of the new capabilities we’ve released today in the first preview of Microsoft Identity Manager.

A little background: What is Microsoft Identity Manager (MIM)?

MIM is the new name for the next major release of what was formerly called Forefront Identity Manager (FIM). We have scheduled the MIM release for the first half of calendar year 2015.

MIM (like FIM 2010 R2) will be part of the Azure Active Directory Premium (AADP) offering. So if you are already an AADP subscriber, you can benefit from the existing FIM capabilities and the upcoming MIM goodies.

MIM is an on-premises Identity and Access Management (IAM) system. As such, it reduces the complexity of managing the identity lifecycle in organizations by automating key IAM tasks, including:

  • Provisioning and synchronizing identities among heterogeneous directories and systems
  • Implementing IAM-related workflows
  • Certificate and smart card lifecycle management
  • Role-based access management
  • Self-service tasks (password reset, group management, etc.)

What will be new in MIM?

Our investments in MIM are grouped into three areas:

  • Privileged Access Management:

    Aimed at mitigating external cyber-attacks and insider attacks that leverage the identity system to move laterally through the organization. MIM will have a new set of capabilities designed to isolate, monitor and better protect privileged users.

  • Hybrid IAM:

    As more and more organizations and information workers move to SaaS applications, the IAM system expands to the cloud but still exists on premises. Our goal is to make the cloud-based and on-premises IAM systems coexist, and also to couple them, so that they deliver better IAM capabilities regardless of whether the user or app is on premises or in the cloud (this is what we call Hybrid IAM).

  • Modernization and ease of use:

    We are constantly updating our supported underlying server infrastructure (Windows Server, SQL Server, SharePoint, etc.) and improving our user experience.

In addition to the new content in MIM, we have changed the way we deliver it. As part of MIM, we will regularly provide you with preview executables that you can test in your lab environments. This is a good opportunity for you to provide feedback BEFORE the product is released, and an opportunity for us to apply that feedback in a timely manner.

You can see more details about MIM in the recent TechEd Europe 2014 session.

Our first public preview is here

In last week’s TechEd MIM session, we promised that the public preview was almost here, and now it really is here! We call this preview a CTP (Community Technology Preview), and we expect further refresh points (e.g. CTP2) in the coming months, lighting up more capabilities. The new capabilities available now in the CTP are detailed below.

 

New in this CTP: Privileged Access Management, Isolation and elevation

To make the PAM story short, you can watch this video demo.

With this new capability, privileged access is managed in two steps.

The first step is better protection of privileged accounts: the privileged accounts and groups are copied (or migrated) to a dedicated forest, the privileged forest. Because that forest is a separate security boundary with its own domain controllers, a compromise of the existing forest does not by itself hand an attacker the privileged accounts. In addition, users are automatically removed from the privileged groups after the pre-defined expiration time. The copying is automated by running a PowerShell cmdlet.

In the following screenshot, you can see what the migration PowerShell cmdlet looks like:

In addition to creating groups and users in the privileged forest, you will have to define a PAM role. A PAM role defines the role name, the expiry time (TTL) of an elevation, the privileged group(s) it grants, and the candidate users who may request it. A role can be defined either in the MIM portal or by PowerShell. The following screenshot shows what it looks like in the portal:

 

The second step is privileged access step-up: when someone wants to use privileged access, she first has to step up, that is, obtain the actual access privileges for a resource. This can be done with a PowerShell cmdlet, or through a GUI of your own built on MIM’s new PAM REST API (the PAM REST API will be available in later CTPs). Under the hood, in the privileged forest, the system adds the requesting privileged user to the right privileged group. Unlike a standard security group, however, the membership does not stay there forever: the group membership, and with it the high privileges, are automatically removed after the pre-configured amount of time. This is a major part of our privileged access protection, which we call Just-In-Time (JIT) step-up.

One caveat worth keeping in mind: removing the group membership stops new authentications from carrying the privilege, but Kerberos tickets issued while the membership existed still carry the group’s SID until they expire or are renewed, so choose role TTLs with the ticket lifetimes in the privileged forest in mind.

In the following screenshot, you can see what the elevation PowerShell cmdlet looks like:
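As an added worked example (not code from this post, and not a transcript of the screenshots it refers to), here is what the two steps look like end to end in PowerShell. The cmdlet names and parameters follow the MIMPAM module as it shipped in MIM 2016 (New-PAMGroup, New-PAMUser, New-PAMRole, Get-PAMRoleForRequest, New-PAMRequest, Get-PAMRequest); the cmdlets in the CTP screenshots may differ. The forest names, domain controllers, the CorpAdmins group, the user jen and the one-hour TTL are made up for illustration.

```powershell
# Added example, not from the original post. Cmdlet names follow the MIMPAM
# module of MIM 2016; the CTP cmdlets may differ. All names below are made up:
#   existing forest  : CONTOSO (contoso.local), DC corpdc.contoso.local
#   privileged forest: PRIV (priv.contoso.local), DC privdc.priv.contoso.local
Import-Module MIMPAM
Import-Module ActiveDirectory

# ---------- Step 1: run by the PAM administrator in the privileged forest ----------

# Credentials in the existing forest, needed to read the source group and user.
$corpCred = Get-Credential -UserName 'CONTOSO\Administrator' -Message 'Existing-forest admin credentials'

# 1a. Copy the privileged group CorpAdmins into the privileged forest. The copy
#     carries the source group's SID in its SID history, which is what lets members
#     of the copy be authorized for resources in the existing forest.
$privGroup = New-PAMGroup -SourceGroupName 'CorpAdmins' `
                          -SourceDomain   'contoso.local' `
                          -SourceDC       'corpdc.contoso.local' `
                          -Credentials    $corpCred

# 1b. Create the privileged-forest account for the existing user jen (it is created
#     as priv.jen). Give it a password and enable it before it can be used.
$privUser = New-PAMUser -SourceDomain 'contoso.local' -SourceAccountName 'jen'
$pw = Read-Host -AsSecureString -Prompt 'Password for PRIV\priv.jen'
Set-ADAccountPassword -Identity 'priv.jen' -NewPassword $pw -Reset
Enable-ADAccount -Identity 'priv.jen'

# 1c. Define the PAM role: display name, the privileged group(s) it grants, the
#     candidate users allowed to request it, and the TTL (seconds) after which
#     the membership is removed again. One hour here.
$role = New-PAMRole -DisplayName 'CorpAdmins' `
                    -Privileges  $privGroup `
                    -Candidates  $privUser `
                    -TTL         3600

# ---------- Step 2: run by the candidate, logged on as PRIV\priv.jen ----------

# 2a. List the roles this account is allowed to request, then request elevation.
Get-PAMRoleForRequest
New-PAMRequest -Role 'CorpAdmins'

# 2b. Check the effect in the privileged forest: the copied group now lists priv.jen
#     (the copy is matched by a name wildcard, so the check does not depend on how
#     the cmdlet prefixes the group name), and the request records its expiry.
Get-ADGroup -Filter "Name -like '*CorpAdmins'" -Server 'privdc.priv.contoso.local' |
    Get-ADGroupMember -Server 'privdc.priv.contoso.local' |
    Select-Object SamAccountName
Get-PAMRequest | Format-List

# 2c. Repeat the membership query after the TTL has elapsed: priv.jen is gone.
#     Kerberos tickets issued during the window still carry the group SID until they
#     expire, so size ticket lifetimes in the privileged forest with the TTL in mind.
Get-ADGroup -Filter "Name -like '*CorpAdmins'" -Server 'privdc.priv.contoso.local' |
    Get-ADGroupMember -Server 'privdc.priv.contoso.local' |
    Select-Object SamAccountName
```

The two halves run under different identities on purpose: step 1 needs PAM administrator rights plus read access to the existing forest, while step 2 is what an ordinary candidate types as her PRIV account. Nothing in the existing forest is changed by the elevation; only the group copy in the privileged forest gains and later loses a member.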

 

New in this CTP: Password Reset with Azure MFA

To make the SSPR with MFA story short, you can watch this video demo.

In FIM 2010 R2, the self-service password reset (SSPR) flow supported two authentication gates:

  • Questions and answers
  • One-time password (OTP)

Now we are adding another authentication gate: Azure MFA.

With Azure MFA, the end user who wishes to reset her password receives a phone call from Azure and is prompted to enter a PIN code.

This combined MIM and Azure AD capability makes phone-based authentication easier to deploy, because as a MIM administrator you no longer have to subscribe to a third-party SMS delivery provider or telecom carrier; you only need an Azure AD subscription.

For the information worker (IW), registering for SSPR and resetting passwords is just as easy as in FIM 2010 R2, as shown in the following screenshot.

For the IAM admin, lighting up this functionality is as easy as adding an action to the SSPR flow, as shown in this screenshot:

Note: Azure AD also has its own SSPR functionality; some further details are here.

New in this CTP: Updates to Certificate Manager

To make the CM modernization story short, you can watch this video demo.

 

We have introduced a new Windows Store style application (a modern Windows application) that lets you accomplish self-service tasks involving smart cards, virtual smart cards, and certificate management.

For example, you can enroll yourself for a new virtual smart card in just a few clicks. You can also renew a certificate, reset the PIN (unblock your smart card), or delete a certificate or smart card.

This is what it looks like:

In addition, the modern Windows application is built on a new REST API. The new CM REST API can be used not only by the modern app, but also to develop your own customized CM portal.

The REST API is protected by OAuth 2.0, and access to it can be authenticated by AD FS, which acts as the authorization server that issues the tokens. You can also now require strong authentication to log on to the app, so end users will need more than a username and password to enroll a virtual smart card.

The new CM REST API enables another important scenario: an information worker can now enroll a new certificate or virtual smart card even when her device is not domain joined. This brings me to a personal story:

Last weekend on my way to TechEd, my virtual smart card had expired, so I could not authenticate to my VPN, and therefore could not renew my virtual smart card (and therefore could not authenticate to my VPN…got it?)

Immediately I recalled that I take part in our internal CM Windows Store app preview, so I used it to renew my virtual smart card and regained VPN access. Isn’t this awesome?

 

New in CTP2: Modernized Supported Platforms

In addition to the new capabilities, we have extended our platform support matrix to:

  • Windows Server 2012 R2
  • SharePoint 2013
  • SQL Server 2014
  • Exchange 2013
  • Visual Studio 2013 (to support extension development)

In addition, our PAM functionality can make use of Windows Server 10 (the pre-release name of what later shipped as Windows Server 2016).

 

What is next?

In this blog post, we have told our story. Now it is time to hear from you!

  • The best thing you can do is download the preview executables, try them out by following the test lab guides, and provide feedback. This will take a few hours of work and a few VMs to host.

    You can find the executables and Test Lab Guides at our regular Connect site:

    https://connect.microsoft.com/site433/Downloads.

    This site will also be used to collect your feedback for the CTP experience.

In addition:

  • We encourage you to email us with any comment or feedback.
  • You can learn more about MIM here
  • You can learn more about FIM here

 

Finally: stay tuned, more capabilities and goodies for MIM are right around the corner; we plan to provide you with additional capabilities in the next 2-3 months.

Thank you, and see you in the next MIM Preview!

Sharon Laivand, Program Manager